IP-Based ATMs Are Easy to Use (and Abuse)

Tom DeSot, Credit Union Magazine
December 22, 2004

Just a few years ago, most financial institution networks consisted of a few servers with a smattering of personal computers, and possibly even some terminals for connecting to mainframes. In the past few years, however, a new technology has emerged: Internet protocol (IP)-based automated teller machines (ATMs).

ATMs have been part of the financial services industry for many years. But traditional ATMs have used customized protocols over small-bandwidth connections to contact financial institutions. What’s new is the ATMs that currently are being installed have a network card and an IP address just like a personal computer. Now they can connect to everything else on your network.

IP-enabled ATMs are a godsend for many institutions, especially those wanting to manage their own ATM networks. This new technology frees them from the expense and effort of having to install additional equipment for “hard” connections to their core hosts. IP-enabled ATMs allow the owner to simply connect the ATM to an Ethernet wall outlet, just like any other device on their network.

For those of you who don’t work in information technology, think of it this way: Every day, new vulnerabilities are discovered that can damage servers and computers running on networks all over the world. Up to this point, though, if anything did happen, any damages incurred would be electronic in nature, not in hard currency.

Now, introduce a device on your network that may be running an operating system that’s just as vulnerable as any other computer or server on your network—but with the caveat that this particular system holds containers filled with real currency!

Planning Your Defense

Fortunately, there are some simple steps any institution using IP-enabled ATMs can take to ward off a variety of attacks. Many of these steps are the same steps you’d take to ensure that your servers and personal computers were protected and secure.

Install and continuously update virus protection software. This is one of the simplest steps you can take to ensure the ATM doesn’t fall victim to many types of viruses and worms. Harden the system. You’ll need vendor assistance for this step. Turn off unneeded services and applications. In short, keep the system simple. Apply strong local passwords. Strong passwords have at least seven characters, consist of alphanumeric and special characters, and use both upper and lower case.

Patch the system. Remember, an ATM is nothing more than software running on top of an operating system just like any word processing package or spread sheet. It needs to be updated with patches regularly. Segment the ATM. Segmenting the ATMs on the network means nothing more than using a firewall to separate them from the rest of the branch/corporate network. This can be completed through the use of either a network-based or host-based firewall. Use point-to-point virtual private network technologies for all remote ATMs not on the institution’s private network. Watch the traffic. Many institutions use intrusion detection and prevention systems to monitor and block malicious traffic destined for their servers and personal computers. Use the same technology to watch IP-enabled ATMs. In short, the addition of IP-based ATMs to any network is a great way to enable another service for the institution’s clientele without introducing dramatic capital expenses. Although they introduce their own unique security issues, they can be as secure as any other system residing on the network if properly installed and managed.

Work with the ATM vendor to ensure that none of the items outlined previously would adversely affect the functionality of the ATM network. Additionally, some or all of these measures may have already been put in place by the vendor to protect installed systems.

The Next Generation of ATMs

Research from Tower Group indicates:

-ATMs are the most widely used remote delivery channel for financial services, with 58% of U.S. households using them. Currently, 26% of all financial transactions (not including bill payments) are conducted via ATMs, a rate considerably below that for branches but still much higher than for remote channels.

• Two-thirds of active ATM users have been surcharged at some point. Of those, half say they'll no longer use ATMs that surcharge, while 41% say they limit their use of such ATMs. Only 6% say surcharges don't change their ATM use behavior. Still, there’s evidence that surcharges have little or no negative effect on ATM transaction volumes.

-Sixty percent of active ATM users use this channel only for routine transactions: withdrawals, deposits, and balance inquires. In fact, these make up 83% of all ATM transactions, leaving a relatively small number of nonroutine transactions.

-Consumers are surprisingly positive toward the idea of biometric-based security measures at the ATM. Fingerprint-based biometrics are rated the most acceptable solution; voice-based systems are considered the least attractive. Sixty-one percent of active users say they'd be likely to use an ATM that uses fingerprint identification, rather than personal identification numbers, to make secure transactions.

Tom DeSot is vice president of operations at Digital Defense Inc. in San Antonio. Contact him at 888-273-1412. This article first appeared in Credit Union Magazine at http://creditunionmagazine.com and is reprinted with permission.